
PIX and Microsoft IAS

curtiskline
Level 1

I've seen several references to the use of MS IAS as a RADIUS server for PIX VPN authentication. I think this would be a good solution for us, but I'm wondering if anyone has followed Cisco's instructions and could relate their experience with installing, configuring, and maintaining this setup.

Any information would be greatly appreciated.

Thanks,

Curtis

8 Replies

bsaltbaek
Level 1

Hi Curtis.

Our company uses Windows 2000 IAS as authentication for our PIX (sw 6.1.0) with Cisco's VPN client 3.x to let our employees, customers and partners access our local network.

It took me quite some time to set it up since Cisco does not give any setup information for Windows NT4 IAS or W2K IAS. They only describe how a RADIUS server in general should behave.

But, now it works. And it works GREAT. We just have to add a Windows user account to a Windows user group and then the user does or does not have access to use VPN. Very simple.

Actually, we have different Windows user groups with different users. Based on the group the user is in, he is mapped to a specific "access-list" on the PIX. This way we can allow customers and partners access to parts of our local network via VPN by controlling it all in the Windows domain.

Feel free to ask for a setup example (I think I posted one some months ago here in the forum).

Regards,

Bjarne Saltbaek (W2K IAS wizard?!? :-D)

Bjarne,

Thanks for the info! Have you seen the following document on Cisco's website? It seems to cover the Windows IAS setup in some detail...

http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html

Also, do your VPN users run the Cisco VPN client or just the Microsoft built-in client?

Curtis

Hi Curtis.

No, I haven't seen/read that.

And yes - in "some details". It doesn't tell you about access-list-mapping.

The example only allows global access to the network.

If you ask me, the document is worthless :-(

(or useful if you can live with low security)

What if your company has a dial-in pool as well as VPN access? Are the users that use VPN allowed to use dial-in? In the Cisco example, yes.

In our company: really bad security!

And, our users run the Cisco VPN Client 3.x (downloaded from http://www.cisco.com/cgi-bin/tablebuild.pl/vpnclient-3des) - not the unsecure PPTP in Windows 2000 (IMHO).

Regards,

Bjarne

Bjarne,

Any chance that my Windows server admin coworker and/or I could email you for more info on your environment and config? If so, send me an email at ckline@housing.ucsb.edu and I'll reply.

Thanks for your help!

Curtis

Hi Curtis.

I haven't forgotten your request.

I'm putting down a webpage with addon screen dumps, how to set up a VPN solution with W2K IAS, PIX and 3 interfaces (outside, inside, dmz) and NAT.

I'm almost half way :-)

Regards,

Bjarne

Hi Bjarne,

I am currently looking at the same solution for Cisco VPN Client, and it will be much appreciated if you can keep me posted.

rlew@mdwfcu.com

Regards

Ryan

I am in the same position Curtis is. I have not seen a post with your example.

Would you repost?

Thanks,

Jim

Greetings all.

Have a look at a web page I have set up at:

http://www.saltbaek.dk/cisco/

This page is a combination of Cisco's poor instructions at http://www.cisco.com/warp/public/110/cvpn3k_pix_ias.html and my company's VPN setup.

Please use the email on the webpage for comments/replies.

Sorry to Curtis for the late reply (I have been busy :-))

Regards,

Bjarne
